How to Secure a Spring Rest Project With Keycloak
1. Overview

In this blog, we will cover the basics of securing a Spring project with Keycloak using keycloak-spring-boot-starter and ...
2. Limitation
3. The Spring Boot Project
For more detailed instructions on how to set up the Keycloak Spring Boot starter, see: https://www.keycloak.org/docs/latest/securing_apps/index.html#_spring_boot_adapter. The relevant part of the project's pom.xml is:
    <properties>
        <java.version>11</java.version>
        <keycloak.version>4.8.1.Final</keycloak.version>
    </properties>

    <dependencies>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-actuator</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-web</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-security</artifactId>
        </dependency>
        <dependency>
            <groupId>org.keycloak</groupId>
            <artifactId>keycloak-spring-boot-starter</artifactId>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-devtools</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-test</artifactId>
            <scope>test</scope>
        </dependency>
    </dependencies>

    <dependencyManagement>
        <dependencies>
            <dependency>
                <groupId>org.keycloak.bom</groupId>
                <artifactId>keycloak-adapter-bom</artifactId>
                <version>${keycloak.version}</version>
                <type>pom</type>
                <scope>import</scope>
            </dependency>
        </dependencies>
    </dependencyManagement>
3.1 Configuration
3.1.1 Using Keycloak Spring Boot Starter
    keycloak:
      enabled: true
      realm: dev
      auth-server-url: http://localhost:8083/auth
      ssl-required: external
      resource: dev-api
      bearer-only: true
      confidential-port: 0
      use-resource-role-mappings: false
      principal-attribute: preferred_username
      cors: true
      security-constraints:
        - auth-roles:
            - User
          security-collections:
            - name: unsecured
              patterns:
                - /users
        - auth-roles:
            - Admin
          security-collections:
            - name: secured
              patterns:
                - /admin

    logging:
      level:
        org.apache.catalina: DEBUG
In this example configuration, we define two URL patterns, /users and /admin, each secured by its respective role. Note that each entry in security-constraints is composed of an auth-roles array and a security-collections array, and each security collection has a name and a list of URL patterns.
Enabling DEBUG logging for org.apache.catalina lets us see the security check performed on the requested URL when we invoke the API.
At the same time, if we set the config resolver to KeycloakSpringBootConfigResolver, we can also configure the HttpSecurity rules in code.
Below is part of the class that extends KeycloakWebSecurityConfigurerAdapter. Keycloak provides this base class, together with the @KeycloakConfiguration annotation, to make the configuration easier.
    @Bean
    public KeycloakConfigResolver keycloakConfigResolver() {
        // Read the adapter settings from application.yml instead of keycloak.json.
        return new KeycloakSpringBootConfigResolver();
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        super.configure(http); // registers the Keycloak authentication filters and entry point
        http.cors()
            .and()
            .csrf().disable()
            .anonymous().disable()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .authorizeRequests()
            // hasRole("USER") matches the authority ROLE_USER; the Keycloak roles User and Admin
            // only arrive in that form if an authority mapper (e.g. SimpleAuthorityMapper with
            // upper-casing) is configured in the part of the class not shown here.
            .antMatchers("/users*").hasRole("USER")
            .antMatchers("/admin*").hasRole("ADMIN")
            .anyRequest().denyAll(); // any URL not listed above is rejected
    }
3.1.2 Using Keycloak Spring Security Adapter
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-security</artifactId>
    </dependency>
Delete the Keycloak-related configuration in application.yml, including the security constraints, and remove the keycloakConfigResolver bean, since that bean is what tells the adapter to ignore the keycloak.json file. This leaves us with the security rules in the configure(HttpSecurity http) method, which still apply.
By default, the adapter looks for a keycloak.json file inside the WEB-INF folder, but since the project is packaged as a jar, that folder does not exist, so we need to set a system property (for example in the run configuration in Spring STS):
keycloak.configurationFile=classpath:keycloak.json
Also make sure that the keycloak.json file is inside the src/main/resources folder.
The complete source code is available at Github: https://github.com/czetsuya/Spring-Keycloak-with-REST-API
1 comment
Hi Sir,
I have mailed you regarding Keycloak, kindly assist me.
Thanks